INFORMATION ASSURANCE OF THE DEFENSE CIVILIAN PERSONNEL DATA SYSTEM - NAVY

Report Number 98-127                                        April 29, 1998

Office of the Inspector General
Department of Defense


Additional Information and Copies

To obtain additional copies of this audit report, contact the Secondary Reports Distribution Unit of the Analysis, Planning, and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or FAX (703) 604-8932 or visit the Inspector General, DOD, Home Page at: WWW.DODIG.OSD.MIL.

Suggestions for Audits

To suggest ideas for or to request future audits, contact the Planning and Coordination Branch of the Analysis, Planning, and Technical Support Directorate at (703) 604-8908 (DSN 664-8908) or FAX (703) 604-8932. Ideas and requests can also be mailed to:

        OAIG-AUD (ATTN: APTS Audit Suggestions)
        Inspector General, Department of Defense
        400 Army Navy Drive (Room 801)
        Arlington, Virginia 22202-2884

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@DODIG.OSD.MIL; or by writing to the Defense Hotline, The Pentagon, Washington, D.C. 20301-1900. The identity of each writer and caller is fully protected.


Acronyms

DCPDS    Defense Civilian Personnel Data System
HRO      Human Resources Office


INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202

                                                        April 29, 1998

MEMORANDUM FOR ASSISTANT SECRETARY OF THE NAVY (FINANCIAL MANAGEMENT AND COMPTROLLER)
               ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL MANAGEMENT AND COMPTROLLER)

SUBJECT: Audit Report on Information Assurance of the Defense Civilian Personnel Data System - Navy (Report No. 98-127)

We are providing this audit report for your information and use. This is the third of four reports on the Defense Civilian Personnel Data System by the Office of Inspector General, DOD. We considered management comments on a draft of this report in preparing the final report.

Management comments on the draft of this report conformed to the requirements of DOD Directive 7650.3 and left no unresolved issues. Therefore, no additional comments are required.

We appreciate the courtesies extended to the audit staff. Questions on the audit should be directed to Ms. Mary Lu Ugone, Audit Program Director, at (703) 604-9049 (DSN 664-9049); Ms. Cecelia A. Miggins, Audit Project Manager, at (703) 604-9046 (DSN 664-9046); or Ms. Kathleen Fitzpatrick, Audit Team Leader, at (703) 604-8974 (DSN 664-8974). See Appendix D for the report distribution. The audit team members are listed inside the back cover.

                                        David K. Steensma
                                 Deputy Assistant Inspector General
                                           for Auditing


Office of the Inspector General, DOD

Report No. 98-127                                                        April 29, 1998
   (Project No. 7RE-3006.02)

Information Assurance of the Defense Civilian Personnel Data System - Navy

Executive Summary

Introduction.
This report is the third of four reports in our ongoing review of the Defense Civilian Personnel Data System. The first report discussed acquisition management controls for the Defense Civilian Personnel Data System and the second report discussed the information assurance controls for the overall system. The Defense Civilian Personnel Data System is an automated information system that will process sensitive-but-unclassified personnel information for 209,000 Navy and Marine Corps civilian personnel records at 8 regional personnel centers and approximately 100 customer support units.

Audit Objectives. The overall audit objective was to evaluate the adequacy of information assurance for the Defense Civilian Personnel Data System as it relates to the Navy. Specifically, we evaluated security planning, risk analysis, and security management. We did not evaluate the security of network and communications infrastructure because DOD resources were not available to conduct vulnerability assessments. We also reviewed the management control program as it applied to the audit objectives. Appendix A discusses the audit process. Appendix B provides a summary of prior coverage related to the audit objectives.

Audit Results. The Navy Pacific Region and two of its three human resources offices have made Defense Civilian Personnel Data System information assurance a high priority and have computer security programs in place. However, at the beginning of the audit, its Human Resources Office Marine Corps Base Hawaii Kaneohe Bay did not have a security program in place. As a result of the inadequate information assurance controls at Human Resources Office Marine Corps Base Hawaii Kaneohe Bay, the Navy cannot ensure the confidentiality, integrity, and availability of more than 209,000 Navy and Marine Corps civilian personnel records. See Part I for the complete discussion and Appendix A for details on the management control program.

Corrective Actions Taken or Planned. The Human Resources Office Marine Corps Base Hawaii Kaneohe Bay has taken corrective action during the audit by developing a security policy and interim authority to operate and by conducting a system security test and evaluation. It has also appointed key security management positions and established a risk analysis safeguard checklist to identify and define overall system threats and vulnerabilities for the computers that run the Defense Civilian Personnel Data System, and it has initiated ongoing security awareness training in accordance with the Computer Security Act of 1987.

Summary of Recommendations. We recommend that the Human Resources Office Marine Corps Base Hawaii Kaneohe Bay improve the adequacy of its Defense Civilian Personnel Data System information assurance program by completing an overall security plan and a contingency plan.

Management Comments. The Department of the Navy concurred with the recommendations and has initiated needed actions. See Part I for a discussion of management comments and Part III for the complete text of the management comments.


Table of Contents

Executive Summary                                       i

Part I - Audit Results
      Audit Background                                 2
      Audit Objectives                                 4
      Information Assurance Program                    5

Part II - Additional Information
      Appendix A. Audit Process
        Scope and Methodology                          14
        Management Control Program Review              15
      Appendix B. Summary of Prior Coverage            16
      Appendix C. Glossary                             20
      Appendix D. Report Distribution                  23

Part III - Management Comments
      Department of the Navy Comments                  26
      Civilian Personnel Management Service Comments   28


Part I - Audit Results

Audit Background

Defense Civilian Personnel Data System. The modern Defense Civilian Personnel Data System (DCPDS) will provide a seamless automated information system for civilian personnel policy actions and personnel decisions during peacetime, contingencies, and wartime. The modern DCPDS will support Military Departments and Defense agencies worldwide and will be used by personnel officials, employees, managers, and senior leadership at all levels of DOD operations. The current operational DCPDS is an interim system designed to improve and enhance personnel staffs during the DOD transition to the modern DCPDS. The interim DCPDS, which this report refers to as DCPDS, resides on a mainframe computer and has separate databases at Military Department or Defense agency levels to support civilian personnel operations. The DCPDS databases are maintained at the Defense Information Systems Agency Defense Megacenter, located at Kelly Air Force Base, San Antonio, Texas. The DCPDS stores, processes, and transmits data for 750,000 personnel records, of which 209,000 belong to the Navy and Marine Corps and are subject to the Privacy Act of 1974 and the Freedom of Information Act. For security purposes, the DCPDS data are labeled “sensitive-but-unclassified.”
The DCPDS Acquisition Program Manager has been delegated responsibility for the overall protection of the DCPDS information and the computer resources. The responsibility for the confidentiality, integrity, and availability of the DCPDS information resides with all DOD organizations and persons who have access to the records.

The Navy Regions. The modern DCPDS will enable the Military Departments and the Defense agencies to process, store, and transmit civilian personnel records on databases at 22 regional service centers. Regionalization of civilian personnel operations began in FY 1995. The Navy is consolidating hundreds of full-service Navy and Marine Corps personnel offices into eight regions called human resources service centers.[1] In October 1996, the Navy established the Pacific Region, Honolulu, Hawaii.

A region is the repository for official personnel files and regional DCPDS databases. A Navy region maintains a regional database containing personnel records of serviced employees, and the regional database updates the Navy DCPDS database in San Antonio, Texas. The personnel data are transmitted using the Internet. Additionally, the Navy DCPDS database feeds data to other DOD databases; for example, it feeds them to the Defense Civilian Payroll System and the Navy Headquarters System.

[1] Regions are called human resources service centers by the Navy and regional service centers by DOD.

A region’s mission is to provide information management and processing support for position classification, personnel recruitment and staffing, workforce development, employee benefits and services, and related records management. The Navy and the Marine Corps will reestablish the remaining portions of their civilian personnel offices as independently operated human resources offices (HROs)[2] focusing primarily on personnel program planning and oversight, policy analysis and development, and management advice and consultation for personnel management within their respective commands. Under the regionalization concept, HROs will support a customer service environment and provide advisory services. In October 1996, three HROs became operational in the Pacific Region at the following locations:

  - Pearl Harbor Naval Shipyard, Hawaii;
  - Commander Naval Base Pearl Harbor, Hawaii; and
  - Marine Corps Base Hawaii Kaneohe Bay, Hawaii.

Safeguarding Personnel Data. DOD civilian personnel data are subject to provisions of the Privacy Act of 1974 and the Freedom of Information Act. The Privacy Act of 1974 generally requires Federal agencies to safeguard personal information from disclosure to any other organization or individual without the consent of the individual to whom the information pertains. The Privacy Act of 1974 also requires each agency to account for disclosures of information to other organizations and individuals. The Freedom of Information Act requires agencies to make information available to the public but excludes from that disclosure personnel information that would constitute an invasion of privacy. The DCPDS for the Navy must meet provisions of the Privacy Act of 1974 to safeguard the personnel data.

The policy and procedures for safeguarding sensitive-but-unclassified DOD information are prescribed in DOD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988. “Information assurance” and “computer security,” as used in this report, are intended to be synonymous. Please see Appendix C for a glossary of terms used in this report.

[2] Support units are called human resources offices by the Navy and customer support units by DOD.

Audit Objectives

The overall audit objective was to evaluate the adequacy of information assurance of DCPDS for the Navy. Specifically, we evaluated security planning, risk analysis, and security management. We did not evaluate the security of network and communications infrastructure because DOD resources were not available to conduct vulnerability assessments. We also reviewed the adequacy of the DCPDS management control program as it applied to the overall audit objective. See Appendix A for a discussion of the audit scope and methodology and the review of the management control program.
Appendix B provides a summary of prior coverage related to the audit objectives.

Information Assurance Program

The Navy Pacific Region and two of its three HROs possess a security policy and plan and an interim authority to operate. They conduct system security test and evaluations, risk analyses, and security training and awareness programs; appoint key security management positions; and have system access controls and physical security controls in place. However, at the beginning of the audit, its HRO Marine Corps Base Hawaii Kaneohe Bay did not have a security program in place. During the audit, the HRO Marine Corps Base Hawaii Kaneohe Bay developed a security policy and an interim authority to operate, conducted a system security test and evaluation and initiated a security training and awareness program, appointed key security management positions, and conducted risk analysis to identify and define overall system threats and vulnerabilities in accordance with DOD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988. However, the HRO Marine Corps Base Hawaii Kaneohe Bay still does not have a security plan and a contingency plan.

Also, the DCPDS functional and acquisition managers did not coordinate with the Navy about their respective security management roles and responsibilities for the DCPDS information assurance program.

As a result, the Navy cannot ensure the confidentiality, integrity, and availability of more than 209,000[3] Navy and Marine Corps civilian personnel records that are processed on the DCPDS.

[3] The Navy Pacific Region maintains a database containing more than 9,000 records. The database links to and updates the DCPDS Navy database, which could allow for possible access to more than 209,000 records if it lacks information assurance controls.


Requirements for Information Assurance Controls

Federal Guidance. Office of Management and Budget Circular No. A-130, “Management of Federal Information Resources,” February 8, 1997, recognizes the need for special management attention for security of automated information systems because of the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of management information. In addition, Circular A-130 requires agencies to recognize that, in Federal Government information systems involving personal information, the individual’s right to privacy must be protected.

Circular A-130 directs all Federal agencies to protect information commensurate with the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or modification of such information. Circular A-130 requires agencies to incorporate minimum controls for all Government automated information system security programs to include the following:

        Assign responsibility for security of each major application to a management official knowledgeable in the nature of the information and information process supported by the application and in the management, personnel, operational and technical controls used to protect it. This official shall assure that effective security products and techniques are appropriately used in the application and shall be contacted when a security incident occurs concerning the application.

DOD civilian personnel data are subject to provisions of the Privacy Act of 1974 (the Privacy Act). The Privacy Act generally requires Federal agencies to safeguard personal information from disclosure to any other organization or individual without the consent of the individual to whom the information pertains. The Privacy Act also requires each agency to account for disclosures of information to other organizations and individuals.

The Computer Security Act of 1987 requires that Federal agencies develop computer security plans for all Federal computer systems that contain sensitive information to assure their integrity, availability, or confidentiality. Sensitive information as defined by the Computer Security Act of 1987 is:

        . . . any information, the loss, misuse, or unauthorized access to, or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled . . . .

DOD Security Requirements. DOD Directive 5200.28 incorporates the provisions of Circular A-130 and provides mandatory minimum automated information system security requirements for systems that process sensitive-but-unclassified information. DOD Directive 5200.28 states that, as a minimum, a risk management program should be in place to determine how much protection is required, how much exists, and the most economical way of providing the needed protection. According to DOD Directive 5200.28, risk management is the total process of identifying, measuring, and minimizing uncertain events affecting automated information system resources. It includes conducting a risk analysis, cost benefit analysis, safeguard selection and implementation, security test and evaluation, and systems review. A risk analysis identifies threats and vulnerabilities and categorizes the level of risk associated with each.


Existing Controls

The Navy Pacific Region, HRO Pearl Harbor Naval Shipyard, and HRO Commander Naval Base Pearl Harbor have made DCPDS information assurance a high priority and have security programs in place. The offices have performed a computer security accreditation and conducted a risk analysis to identify security risks.
As of July 1997, the HRO Pearl Harbor Naval Shipyard and HRO Commander Naval Base Pearl Harbor submitted computer security accreditation packages to the base Information System Security Officer and are waiting for the designated approving authority to accredit the DCPDS computer resources.

Specifically, the sites possess security policy and plans; have system access controls and physical security controls in place; and have performed a computer security accreditation, which included the following:

  - contingency plan,
  - security test and evaluation,
  - risk analysis safeguard checklist,
  - security awareness training,
  - appointment of key security management positions, and
  - interim authority to operate on the local area network.

See Appendix C for a glossary of terms.

Corrective Action Taken. The HRO Marine Corps Base Hawaii Kaneohe Bay has taken corrective action since the start of the audit by performing a risk analysis safeguard checklist, system security test and evaluation, computer survey, and security policy for the computers that run DCPDS. The Marine Corps Base Hawaii has an interim authority to operate the DCPDS on the local area network not to exceed 1 year.

Also, the HRO Marine Corps Base Hawaii Kaneohe Bay and the Marine Corps Base Hawaii have initiated ongoing security awareness training.

The HRO Marine Corps Base Hawaii Kaneohe Bay and the Marine Corps Base Hawaii have completed appointment letters for key security management positions. The letters were awaiting signature of the base designated approving authority.

Actions That Still Need To Be Taken. The HRO Marine Corps Base Hawaii Kaneohe Bay still needs to implement a security plan and contingency plan.

Security Plan. The Computer Security Act of 1987 requires computer security plans to be developed for all Federal computer systems that contain sensitive information to ensure their integrity, availability, and confidentiality. The security plan describes the strategy for implementing information assurance and establishes a methodology for validating the security requirements identified in the security policy.

Without an established security plan, the HRO Marine Corps Base Hawaii Kaneohe Bay has no assurance that it has developed a strategy for implementing information assurance controls and a methodology for validating security requirements.

Contingency Plan. DOD Directive 5200.28 requires that contingency plans be developed and tested to ensure that automated information system security controls function reliably and, if they do not, that adequate backup functions are in place to ensure that security functions are maintained continuously during interrupted service. DOD Directive 5200.28 also states that recovery procedures must be in place in case data are modified or destroyed. The HRO Marine Corps Base Hawaii Kaneohe Bay did not have a contingency plan. As a result, the HRO Marine Corps Base Hawaii Kaneohe Bay has no assurance that it can recover from a disaster or interruption of services.


Configuration for DCPDS

The Navy DCPDS database is networked to regional databases, which, in turn, are linked to HROs at installations throughout the Navy and the Marine Corps. Users at regions and HROs have a network of personal computers, containing system and application software, to facilitate data communication to interact with each other.

The region maintains application software necessary to perform personnel functions on Hewlett Packard minicomputers. All successfully completed personnel transactions are posted to a regional database, then posted to update the Navy DCPDS database in San Antonio, Texas. The personnel data are transmitted across combinations of local area networks using the Internet Protocol method. Most DOD organizations that use the Internet Protocol method access the DCPDS database using the Not Classified Internet Protocol Router Network.

The personnel data are not encrypted when transmitted back and forth between Navy regional databases and the Navy DCPDS database in Texas, leaving the data vulnerable to unauthorized access. If unauthorized access to a computer occurs, all of the resident information is at risk, and other connected networks are also in jeopardy.


Information Assurance Control Documentation

DOD Directive 5200.28 provides mandatory minimum automated information system security requirements for systems that process sensitive-but-unclassified information. Secretary of the Navy Instruction 5239.2 (Navy Security Program 5239.2), “Department of the Navy Automated Information Systems (AIS) Security Program,” November 15, 1989, which implements DOD Directive 5200.28, requires that the appropriate designated approving authority accredit automated information systems, networks, and computer resources based on a certification and risk management process. Automated information systems not accredited may operate on a local area network if the designated approving authority has issued an interim authority to operate for a period not to exceed 1 year.

The HRO Pearl Harbor Naval Shipyard and HRO Commander Naval Base Pearl Harbor, which are base-owned, conducted a site accreditation of the DCPDS computer resources as required by the Navy Security Program 5239.2. The HROs provided to the base-level designated approving authority information needed to determine whether the computers are operating within an acceptable level of risk to be placed on the base local area network.

The HROs submitted accreditation packages to the base Information System Security Officer, who reviewed the packages and submitted them for approval to the designated approving authority. If acceptable, the designated approving authority issues a formal declaration that the DCPDS is approved to operate on the base local area network because it meets a prescribed set of security standards.


Responsibilities for DCPDS Information Assurance

The DCPDS functional and acquisition managers and the Navy Pacific Region and its HROs all have shared roles and responsibilities in safeguarding the DCPDS personnel data. The organizations must fulfill their responsibilities to achieve information assurance for DCPDS.

Directorate of Personnel Data Systems Responsibilities.
According to the\n    Air Force Personnel Center Pamphlet 38-1, \xe2\x80\x9cOrganizations and Functions,\xe2\x80\x9d\n    April 14, 1997, the Directorate of Personnel Data Systems is responsible for\n    establishing, directing, and managing communications and computer systems\n    security policy and the procedures covering DCPDS at all levels of Federal and\n    DOD organizations.\n\n    Navy Responsibilities. As owner of the personnel data, the Navy is\n    responsible for directing, coordinating, and managing security policy and\n    procedures for Navy and Marine Corps personnel offices using DCPDS. The\n\n\n\n\n                                        9\n\x0cInformation Assurance Program\n\n\n      Navy is also responsible for coordinating and following up on security issues\n      and concerns between the Navy personnel sites and the Directorate of Personnel\n      Data Systems.\n\n      Navy Pacific Region Responsibilities. The Navy Pacific Region maintains its\n      own domain and is responsible for instituting its own security protection\n      mechanisms and procedures as well as for implementing the minimum security\n      requirements in accordance with DOD regulations. To meet minimum security\n      requirements, the Navy Pacific Region must accredit its automated information\n      system. An accreditation is the approval to operate in a particular security\n      mode using prescribed safeguards. Part of the accreditation process is\n      performing a risk analysis of system assets and vulnerabilities to establish an\n      expected loss from certain events based on estimated probabilities of\n      occurrence.\n\n      HRO Responsibilities. The HRO system architecture consists primarily of\n      desktop personal computers that processes sensitive-but-unclassified data. 
To\n      achieve appropriate measures against threat and vulnerabilities, each HRO is\n      responsible for conducting risk analyses to identify most risks and threats\n      associated with each workstation that processes personnel data.\n\n\nCoordination      With DOD Components\n\n      The DCPDS functional and acquisition project managers did not coordinate with\n      the Navy in their respective security management roles and responsibilities for\n      the DCPDS information assurance program. Specifically, the Directorate of\n      Personnel Data Systems, Air Force Personnel Center, does not have an adequate\n      program in place to coordinate and communicate with DOD Components about\n      their respective security management roles and responsibilities for the DCPDS\n      information assurance program. The Directorate of Personnel Data Systems\n      also has not ensured that DCPDS uses the effective security products and\n      techniques required by Circular A-130. The Directorate of Personnel Data\n      Systems has not provided guidance to DOD Components on safeguards and has\n      not followed up to ensure that the DOD Components have implemented\n      corrective actions to guidance.\n\n      The Directorate of Personnel Data Systems issued guidelines to DOD\n      Component project managers for DCPDS sites to complete an operational\n      certification in the memorandum, \xe2\x80\x9cOperational Certification-Regional Service\n      Centers/Risk Analysis Status, n January 13, 1997 (Operational Certification\n      Memorandum).\n\n      The Operational Certification Memorandum states that the operatioaal\n      certification process is an integral part of ensuring system integrity and risk\n      analysis continuity, and that the DCPDS security process requires a risk analysis\n\n\n\n\n                                          10\n\x0c                                                   Information Assurance Program\n\n\n    or an update of the 
current one. Checklists for operational certification and risk analysis were included as attachments to the Operational Certification Memorandum.

The Directorate of Personnel Data Systems did not set milestone dates for the completion of the operational certification and risk analysis. The Operational Certification Memorandum guidance was not coordinated with and followed up by the Navy Pacific Region or its HROs. The Directorate of Personnel Data Systems does not have a method in place to determine when and whether sites have completed the operational certification.

Coordination of DCPDS security issues is important to provide consistency among all DOD Components operating DCPDS. The lack of coordination is causing DOD Components to take their own approaches to security; that is, they are independently developing their own measures to deal with DCPDS vulnerabilities.

Corrective Action Taken. Since the audit started, a coordinated DCPDS policy and security support plan was published. The plan defines the respective security management roles and responsibilities for DCPDS.

Corrective Action Being Taken. Civilian Personnel Management Service, in conjunction with the Central Design Activity security staff, is developing a System Security Annex to the DCPDS Training Support Plan. The Annex will be provided to DOD Components to plan, develop, and execute training strategies for functional and technical personnel involved in the operations of the DCPDS. The Annex will also contain the knowledge, skills, abilities, and training requirements for network security officers and users at all operational levels. The System Security Annex was scheduled to be completed by April 30, 1998.
Conclusion

The Navy Pacific Region, HRO Pearl Harbor Naval Shipyard, and HRO Commander Naval Base Pearl Harbor have made DCPDS information assurance a high priority and have security programs in place. The HRO Marine Corps Base Hawaii Kaneohe Bay took corrective action during the audit by initiating a DCPDS security program.

The Directorate of Personnel Data Systems developed and provided guidance for the security of DCPDS to DOD Component project managers. The guidance emphasized the priority and importance of effective risk management and security safeguards; however, it did not establish milestone dates for completion or follow-up to determine the status of steps performed. The Directorate of Personnel Data Systems should improve its communication and coordination of guidance issued to ensure the confidentiality, integrity, and availability of Navy and Marine Corps civilian personnel records on DCPDS.

Management Comments on the Finding and Audit Response

The Navy concurred with the finding. Although not required to comment, the Civilian Personnel Management Service provided suggestions on the finding, and we made revisions in consideration of management comments. The full text of the comments is in Part III.

Recommendations and Management Comments

We recommend that the Director, Human Resources Office Marine Corps Base Hawaii Kaneohe Bay:

1. Complete an overall security plan for the Defense Civilian Personnel Data System.

2. Complete a contingency plan for the Defense Civilian Personnel Data System.

Management Comments.
The Department of the Navy concurred and is working with the base to develop a security plan and a contingency plan, which will ensure the integrity of the computer systems used to hold personnel data and will include backup security controls and data recovery systems, respectively.

Part II - Additional Information

Appendix A. Audit Process

Scope and Methodology

Scope. We judgmentally selected three Navy locations and one Marine location to evaluate the adequacy of information assurance for DCPDS.

Methodology. We conducted on-site reviews of information assurance policies, procedures, and practices. We reviewed the information planning documents such as security policy, security plans, risk analyses, contingency plans, and security test and evaluations dated from November 1989 through November 1997. We determined whether system access controls, physical security, and security training and awareness programs were developed and implemented. We reviewed user, system, and network administrator security practices. We identified and interviewed key security personnel such as the Information Systems Security Manager, Information Systems Security Officer, System Administrator, and DCPDS managers. We conducted interviews to determine the level of training provided for DCPDS information assurance.

Scope Limitations. We did not evaluate the security of network and communications infrastructure because DOD resources were not available to conduct vulnerability assessments.

Use of Computer-Processed Data. We did not use computer-processed data or statistical sampling procedures to evaluate the adequacy of the DCPDS information assurance.

Contacts During the Audit. We visited or contacted individuals and organizations within DOD.
Further details are available upon request.

Audit Period and Standards, and Locations. We performed this program audit from June through December 1997 in accordance with auditing standards issued by the Comptroller General of the United States, as implemented by the Inspector General, DOD. Accordingly, we included tests of management controls considered necessary.

Management Control Program

DOD Directive 5010.38, "Management Control (MC) Program," August 26, 1996, requires DOD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of Review of the Management Control Program. We reviewed the adequacy of Navy management controls as they relate to the DCPDS information assurance program. Specifically, we reviewed controls for security planning, risk analysis, and security management for DCPDS. We also reviewed management's self-evaluation for those controls.

Adequacy of Management Controls. We identified a material management control weakness for the Navy, as defined by DOD Directive 5010.38. The controls in place for information assurance were not adequate to ensure the confidentiality, integrity, and availability of the DCPDS data. The recommendations in this report, if implemented, will improve the controls for protecting DCPDS data. A copy of this report will be provided to the senior official responsible for management controls at the Navy.

Adequacy of Management's Self-Evaluation.
The Navy management identified personnel offices as assessable units; however, information assurance was not addressed for DCPDS and, therefore, was not identified or reported as a material weakness.

Appendix B. Summary of Prior Coverage

General Accounting Office

GAO Report No. AIMD-96-144 (OSD Case No. 1213), "DoD General Computer Controls: Critical Need to Greatly Strengthen Computer Security Program," September 30, 1996. The report discusses the General Accounting Office evaluation of the general computer controls at several large Navy and Marine Corps computer installations and at selected Defense Information Systems Agency Defense Megacenters. The report notes security weaknesses that would allow hackers and legitimate users to improperly access, modify, or destroy sensitive DOD data. The report recommended a centralized security management program with defined responsibilities, periodic reviews, and monitoring and reporting of improvement actions. DOD management concurred with all findings and recommendations.

GAO Report No. AIMD-96-84 (OSD Case No. 1150), "Information Security: Computer Attacks at Department of Defense Pose Increasing Risks," May 22, 1996. The report discusses the General Accounting Office review of the extent to which DOD computers are being attacked, the potential for damage, and the challenges faced in responding to the attacks. The General Accounting Office noted that attacks are increasing and damaging and are a threat to national security. The General Accounting Office concluded that policies are out-of-date and inconsistent and that many users are not aware of the magnitude of the problem.
The report recommended that the Secretary of Defense strengthen the DOD information systems security program by improving policies and procedures, increasing user awareness, setting standards, monitoring security, and establishing responsibility and accountability. DOD management agreed with the report's findings and recommendations.

Office of the Inspector General, DOD

Report No. 9WJS2, "Information Assurance of the Defense Civilian Personnel Data System," February 23, 1998. The audit objective was to determine the adequacy of the information assurance program for major automated information systems, specifically to evaluate DCPDS security planning, risk analysis, and security management. The report concludes that the DCPDS information assurance program did not have adequate controls in place to safeguard DCPDS data and resources. As a result, DCPDS has high risks for unauthorized system access, intentional and unintentional alteration and destruction of data, and denial of service to authorized users. The report recommended strengthened oversight and management of DCPDS information assurance. Also, the report recommended the establishment of information assurance functional requirements and the implementation of information assurance measures to protect DOD civilian personnel data. The Director, Civilian Personnel Management Service, stated that, by acquiring C-2 compliant system hardware and software, no perceivable threats would be in the DCPDS processing environment that must be countered by system design.
In addition, the Director stated that a computer security response team, representing the Major Automated Information Systems Review Council, identified risks to DCPDS through a facilitated risk assessment program, and the acquisition program manager is developing an action plan to mitigate program risks. The Director nonconcurred with a draft recommendation to revise the operational requirements document to include validated threat information and also nonconcurred with the threat requirements and funding to protect the DOD civilian data. The Director stated that the facilitated risk analysis provided a comprehensive list of threats and is a more appropriate analysis for the DCPDS. The Director also stated that he does not recognize coordination with the acquisition program manager as a problem and that there are no funding deficiencies for protecting DOD civilian personnel data. The Director agreed with the recommendation to coordinate and approve a certification and accreditation plan to protect the DCPDS and commented that his office is determining which organizational component will serve as the operating DCPDS designated approving authority. Air Force management and the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) management agreed with the report's findings and recommendations.

Report No. 98-024, "Security Controls Over Systems Serving the DOD Personnel Security Program," November 19, 1997. The audit objective was to evaluate security controls over the computer system serving the DOD personnel security program, which the Defense Investigative Service administers. The report states that the Defense Investigative Service did not have adequate controls to protect personnel security systems and data from compromise.
Therefore, the Defense Investigative Service cannot ensure that unauthorized individuals can be prevented from accessing, modifying, or destroying the highly sensitive DOD personnel security information that it administers. The report recommended that the Defense Investigative Service communicate specific security requirements, modify Memorandums of Agreement and contracts to include system security, develop and implement access control policies, isolate critical resources in the system architecture, and improve physical security. The Defense Investigative Service management agreed with all recommendations and had initiated actions to improve systems security and the systems architecture.

Report No. PO 97-049, "DoD Management of Information Assurance Efforts to Protect Automated Information Systems," September 25, 1997. The audit objective was to determine the effectiveness of DOD management of information assurance efforts to protect automated information systems. The report concludes that the security safeguards and practices that protect DOD automated information systems need improvement. Inefficient and ineffective implementation of the Defense-wide Information Systems Security Program, outdated policies and procedures, inadequate direction and oversight, and lack of accountability for information systems security management controls contributed to the inadequate security safeguards. The report recommended developing procedures to determine the Defense information infrastructure's security posture, developing an information assurance strategic plan, and incorporating accountability requirements for personnel responsible for safeguarding DOD automated information systems.
The Acting Assistant Secretary of Defense (Command, Control, Communications and Intelligence) generally concurred with the finding and recommendations and, in coordination with the Services, Joint Staff, and Defense agencies, was establishing an integrated management process to extend DOD oversight of information assurance programs and activities to all DOD Components.

Air Force Audit Agency

Project No. 96054027, "Data Communications Security," April 15, 1997. The audit objective was to determine whether the Air Force adequately protects sensitive-but-unclassified information transmitted over the Air Force Internet. The report concludes that Air Force systems continue to transmit sensitive-but-unclassified information unprotected over the Air Force Internet because the Air Force system managers had not conducted a risk analysis. Users and system managers of 5 of the 11 systems examined were not aware of the increased risk of using the Air Force Internet or of the sensitive nature of the information. The Air Force Audit Agency recommended a risk analysis for each system to identify the current risks of transmitting sensitive-but-unclassified information over the Air Force Internet, as well as to emphasize protection requirements to the designated approval authorities. Air Force management officials agreed with the overall audit results and planned responsive actions.

Project No. 93058001, "Review of Personnel Concept III System Security and Equipment Management," April 3, 1995. The audit objective was to determine whether selected security and control procedures were properly implemented in the Personnel Concept III computer system.
The report concludes that the Air Force did not implement adequate security access protection for the system and did not properly account for computer equipment. The Air Force Audit Agency recommended implementing separation of duty requirements, maintaining consolidated accreditation databases, identifying system threats and areas requiring additional protection, and implementing proper control and authorization of passwords. Air Force management officials agreed with the overall audit results and planned responsive actions.

Other Related Coverage

Defense Science Board Task Force, "Information Warfare-Defense (IW-D)," November 21, 1996. The task force was established to study the protection of information interests of national importance through a credible information warfare defensive capability. The report concludes that action is needed to defend against possible information warfare attacks against DOD systems that could impact the ability of DOD to carry out its responsibilities. The task force recommended 50 actions ranging from identifying a focal point within DOD for Information Warfare activities to allocating approximately $3 billion over the next 5 years to implement recommendations.

Joint Security Commission, "Redefining Security," February 28, 1994. The Joint Security Commission report addresses the processes used to formulate and implement security policies in DOD and the intelligence community. The Joint Security Commission report concluded that the clearance process was needlessly complex, cumbersome, and costly.
The Joint Security Commission report made recommendations to create a new policy structure, enhance security, and lower cost by avoiding duplication and increasing efficiency.

Appendix C. Glossary

Federal and DoD organizations have published numerous definitions for terms to describe conditions, events, and key officials involved with safeguarding automated information systems. We primarily used definitions from DOD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)," March 21, 1988 (DOD Directive 5200.28), and definitions from other guidance authorized by that Directive.

Accreditation. Accreditation is the formal declaration by a designated approving authority that a system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. Accreditation is the official management authorization for operation of an information system and is based on the certification process as well as other management considerations. The accreditation statement affixes security responsibility with the designated approving authority and shows that due care has been taken for security. (DOD Directive 5200.28)

Certification. Certification is the technical evaluation of an automated information system's security features and other safeguards, made in support of the accreditation process, which establishes the extent that a particular automated information system's design and implementation meet a set of specified security requirements. (DOD Directive 5200.28)

Contingency Planning.
Contingency plans are required to be developed and tested in accordance with Circular A-130 to ensure that automated information system security controls function reliably and, if not, that adequate backup functions are in place to ensure that security functions are maintained continuously during interrupted service. If data are modified or destroyed, procedures must be in place to recover. (DOD Directive 5200.28)

Interim Authority to Operate. The appropriate designated approving authority will accredit automated information systems, networks, and computer resources based on a certification and risk management process. Automated information systems not accredited may operate if the appropriate designated approving authority has issued an interim authority to operate for a period not to exceed 1 year. (Secretary of the Navy Instruction 5239.2, "Department of the Navy Automated Information Systems (AIS) Security Program," November 15, 1989)

Risk Analysis. A risk analysis is an analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence. (DOD Directive 5200.28)

Security Awareness Training. Mandatory periodic security awareness training is required for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information. (Computer Security Act of 1987, Public Law 100-235)

Security Test and Evaluation. Systems shall be subjected to a site and system specific security test and evaluation to ensure that the environmental and operational security requirements have been met.
When feasible, security test and evaluation should be conducted by a third party approved by the designated approving authority. (Secretary of the Navy Instruction 5239.2)

Threat. A threat is any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, or denial of service. (National Security Telecommunications and Information Systems Security Instruction No. 4009)

Vulnerability. A vulnerability is a weakness in an information system or its components (system security procedures, hardware design, management controls) that could be exploited. (National Security Telecommunications and Information Systems Security Instruction No. 4009)

Key Officials

DOD Directive 5200.28 defines the responsibilities of key officials that affect automated information systems security.

Designated Approving Authority. The designated approving authority is the official who has the authority to decide whether to accept the security safeguards prescribed for an automated information system or the official who may be responsible for issuing an accreditation statement that records the decision to accept those safeguards. The designated approving authority must be at an organizational level, have authority to evaluate the overall mission requirements of the automated information system, and provide definitive directions to automated information system developers or owners relative to the risk in the security posture of the automated information system. (DOD Directive 5200.28)

Information Systems Security Manager. The information systems security manager is responsible for planning, directing, and implementing the information security program.
The information systems security manager is administratively and operationally responsible for the computer system. Generally, each organization has one information systems security manager. (Pearl Harbor Naval Shipyard Computer Security Handbook, 1996)

Information System Security Officer. The information system security officer is responsible to the designated approving authority for ensuring that security is provided for and implemented. Specifically, the information system security officer is to:

• maintain a plan for system security improvements and progress towards meeting the accreditation,

• evaluate known vulnerabilities to ascertain whether additional safeguards are needed, and

• ensure that audit trails are reviewed periodically. (DOD Directive 5200.28)

Terminal Area Security Officer. Terminal area security officers are appointed for computer systems with remote terminal access. The terminal area security officer provides security support to the information system security officer, and reports any problems or security compromises to the information system security officer. Terminal area security officers may also be assigned as an "assistant information system security officer" in areas where the number of systems exceeds the ability of one information system security officer to effectively administer security requirements. (Pearl Harbor Naval Shipyard Computer Security Handbook, 1996)

Appendix D.
Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition and Technology
   Director, Defense Logistics Studies Information Exchange
Under Secretary of Defense (Comptroller)
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, Intelligence)
Under Secretary of Defense for Personnel and Readiness
   Deputy Assistant Secretary of Defense (Civilian Personnel Policy)
   Director, Civilian Personnel Management Service
Assistant Secretary of Defense (Public Affairs)

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Assistant Secretary of the Navy (Financial Management and Comptroller)
Auditor General, Department of the Navy
Director, Human Resources Operations Center, Information Technology
Director, Human Resources Service Center, Pacific Region

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force
Commander, Air Force Personnel Center
   Technical Director, Directorate of Personnel Data Systems, Air Force Personnel Center

Marine Corps
Director, Civilian Human Resources Office-West
Director, Human Resources Office Marine Corps Base Hawaii Kaneohe Bay
Other Defense Organizations
Director, Defense Contract Audit Agency
Director, Defense Information Systems Agency
Director, Defense Logistics Agency
Director, National Security Agency
   Inspector General, National Security Agency
Inspector General, Defense Intelligence Agency

Non-Defense Federal Organizations and Individuals
Office of Management and Budget
Technical Information Center, National Security and International Affairs Division, General Accounting Office

Chairman and ranking minority member of each of the following congressional committees and subcommittees:

   Senate Committee on Appropriations
   Senate Subcommittee on Defense, Committee on Appropriations
   Senate Committee on Armed Services
   Senate Committee on Governmental Affairs
   House Committee on Appropriations
   House Subcommittee on National Security, Committee on Appropriations
   House Committee on Governmental Reform and Oversight
   House Subcommittee on Government Management, Information, and Technology, Committee on Government Reform and Oversight
   House Subcommittee on National Security, International Affairs, and Criminal Justice, Committee on Government Reform and Oversight
   House Committee on National Security

Part III - Management Comments

Department of the Navy Comments

SUBJECT: Audit Report on Information Assurance of the Defense Civilian Personnel Data System - Navy (Project No. 7RE-3006.02)

Attachment 1 was transmitted to the Director of Civilian Personnel Programs, Headquarters, United States Marine Corps, for review and comments.

The Department of the Navy concurs in the report finding and recommendations.
Detailed [illegible] Attachment 1.

BERNARD ROSTKER

Attachments:
1. DoDIG Draft of a Proposed Audit Report: Information Assurance of the Defense Civilian Personnel Data System - Navy (Project No. 7RE-3006.02 of February 6, 1998)*
2. Department of the Navy comments

Copy to:
[illegible]
NAVINSGEN (07)

*Omitted because Attachment 1 is a copy of the draft report.

Department of the Navy Comments
DODIG Draft Audit Report
Information Assurance of the Defense Civilian Personnel Data System
Project #7RE-3006.02

Finding: The Navy Pacific Region and two of its three human resources offices have made Defense Civilian Personnel Data System information assurance a high priority and have computer security programs in place. However, information assurance for its Human Resources Office, Marine Corps Base Hawaii, Kaneohe Bay still needs improvement because it does not have an overall security plan and contingency plan.

DON reply: Concur.

Recommendation 1: "We recommend that the Director, Human Resources Office Marine Corps Base Hawaii Kaneohe Bay complete an overall security plan for the Defense Civilian Personnel Data System."

DON Reply: Concur.
A security plan is being developed at Kaneohe Bay which will ensure the integrity of the computer systems used to hold personnel data.

Recommendation 2: "We recommend that the Director, Human Resources Office Marine Corps Base Hawaii Kaneohe Bay complete a contingency plan for the Defense Civilian Personnel Data System."

DON Reply: Concur. HRO Kaneohe Bay is working with the base Communication Information Systems Department to develop a contingency plan which will include backup security controls and data recovery systems.

Attachment 2

Civilian Personnel Management Service Comments

DEPARTMENT OF DEFENSE
CIVILIAN PERSONNEL MANAGEMENT SERVICE
1400 KEY BOULEVARD
ARLINGTON, VA

MEMORANDUM FOR DIRECTOR, ACQUISITION MANAGEMENT DIRECTORATE, DEPARTMENT OF DEFENSE INSPECTOR GENERAL

SUBJECT: Proposed Audit Report on Information Assurance for the Defense Civilian Personnel Data System - Navy (Project No. 7RE-3006.02)

This memorandum constitutes the functional proponent's response to the Proposed Audit Report on Information Assurance for the Defense Civilian Personnel Data System - Navy, dated February 6, 1998 (Project No. 7RE-3006.02).
\xe2\x80\x98lb aUackd document\n                                                              responds\n                                                                     lo thsa@mbk\n\n      findings, identifies w   conccms, and explains lbe nxisions we belicvc am DLccuuy rothalthc\n\n      final repon will ibxurately rcflax the lkfcnsc Civilian krsomtcl Data Syslcm progrun\n\n      information. We apprecilte your coh&alion          of our comments.\n\n\n\n\n      Atm%mcnI:\n      Asslalcd\n\n\n\n\n                                                       28\n\x0c                               Civilian Personnel Management Service Comments\n\n\n                                                                                                 Final Report\n                                                                                                  Reference\n\n\n\n\nAUDIT BACKGROUND\n\nwemeaviuul       htwtudmtasystam~&8nt().                            TheDefemcaviJiw              Revised\nFWwnael Data System (DCPDS) will ptovitk a scamks~ uomatal ioformation system for\ncivilian petsonnel policy actions and petsood deciiions during pcrccimc. cont@encks. and\nwattime. The DCPDS will .suppor~     Military aputmenu   end Defense ageocica wuddwidc  and\nwill bc used by pctsonncl offiiak. cmployeu. mansgas, and senior kadash@ at alI kvck of          Revised\nDoDqxatioos.      TbeDBDSnridLsonamrinfrrrnecompuu~hrupu,thrrcrcpPNc\ndaUbases at Military DepuVncnt or Defense agency kvels to soppat civiIian penamel\nopcr&ns.     TheDCPDSdatabaWsaremliataincdettbcAitPurceInfotmationPmce=iq\nActivity located at Randolph hit Potce Base. San Antonio, Texas. The DCPDS will stem.\nprocess, and ttansmit data fat 750,ooO petwane records. of which 209,000 belong to the Navy\n~MuineCorpruduewhjcacotheRivryActof1974~rbePresdomofInformuion\nAct. 
PW security pqoses, the DCPDS data re lab&d \xe2\x80\x9csensitive-botu.\xe2\x80\x9d\n\nm           The pqoscd Ianguage my c0ah.u mdetx since it does not distinguish between the\nlegacy DCPDS and the modem DCPDS still under dcv&pmeM. To avoid ccnliuion we\nB            the subetitutiw of the foIlowing language. which clarifies the dist&&n between\nthclcgacyfXYPDSaodthcmodanDCPM.               Alw,thepqwsedlanguagecortectsatechaical\naror, in that, the kgacy DCPDS mainf\xe2\x80\x99ranxs that suppott DOD Military Suvices and Pe&tal\nAgencies (other than an Au Potcc pottion) UC not located at Randolph APB. Texas.\n\n-lkfmseavitiul-                Data System. The legacy Defense Civilian fWsomxJ Data\nSystem (DCPDS) is an automsted infotmation system that is the standsrd LkD civilian ptmotd\nmystun. ThckllryDCPDSbuKdtodocumurtudsroncivilirn~rtioarfathc\nDepurmart\xe2\x80\x99s employees. The system praure         satsitive-but-uncia&ial   peMNlel\ninfotmation. ThekgacyDCPDStcsitksonamsi&atwcomputerandhassepuatedat&a=sat\nhfilitaty Dcp;lrcmcnl ot Dcfenac agency levels to soppott civilii paroanel opem&tU. Tht\nkgscy-           daUmscsatemaintainedUtbbfmselafcnmationSystemsAgencyDcfamc\nMcgauatct, San Antonio. located at Kelly AFB, Texas. DCPDS stmes, pmcesus andtransmit\ndata for 750.000 pmonncl twotds. of which 209,000 belong to the Nwy ad Matine bps and\natesubjccttotbePtivacyActof      1974aadtheFtecdomoflnfotmationAct.\n\nTo suppott the tegion&atiott ofcivilii pusonncl se&x tklivety. the tk+n~&          developal a\nsuite of wftware epplicatiotts c&led Pemomxl Process Impmvetnmts (PPls) thet operate in\ncunjunction with date from the kgacy DCPDS ia a ciicot-sctvet enviroamnt     The PPI Suite\npovideslaeLaroaicmcrnrtoplraptc,routc,~~prwMelrtiolu;~urd\nclassify positions; iaitiatc. 
mute, and tmck training tcq~&; and rcus tbs parallel dat&ase\nandassociateddataftomotherfunctiotulatcu.\n\n\n\n\n                                            29\n\x0c               Civilian Personnel Management Service Comments\n\n\nFinal Report\n Reference\n\n\n\n\n                          Thc&ptmcntisnowintbspcrasofdcvalopingamodemDCPDS.              Thciimctimalityofthe\n                          PPlSuitcwillbcinchxWinthcmadcn,DCPDS.          TbcmodunDCPDSwiJlpmvickr-\n                          ~~infomvtions~thuwill~~paronnclpdicy~aumdperrwaeldecirioar\n                          duting pma%in~. contingencies. and wartime. The Mom DCPDS will support compooenU\n                          World*.\xe2\x80\x9d\n\n\n\nRCViX!d                   Tk Navy Rqions (first paramh),           \xe2\x80\x98-The DCPDS will cuabk tbc Miliuy ~mcntr            and\n                          the Dcfenre agencies to process. store. and transmit civilian penonncl mco& on m             at 23\n                          ngional service enters.\xe2\x80\x9d\n\n                          Rcswnw:      Them are 22 mgional service centera under the cunent pmgram. Tk Defense\n                          Mapping Apcy regional service center, which achieved full opemting capability in FY 1995.\n                          was realigned under the National Imagmy and Mapping Agency (NM).            Due to its change in\n                          security classitkation status NIMA is no longer counted as part of the rcgioMlizatial pmgram.\n                          Recommad tbc &ntcncc be changed to IrEadLs foltows:\n\n                          Tk modcm DCPDS will enable the Military Dcpmncnts and the Defense agencies to process.\n                          store. and transmit civilian pc?sonncl Iculfds on databases at 22 regional savice centem.\xe2\x80\x9d\n\n                          The Navy ltegkm @aryPph 2). 
\xe2\x80\x9cAdditionally, the Navy DCPDS datab~ intczfaccs with\nF&&d\n                          other DOD and Federal timctional dalpbpILcs;for example. paymll and the Of&x of Mampucnt\n                          and Budgu.\xe2\x80\x9d\n\n                          m           The Navy DCPDS does nut have m intafxe with the Office uf Management and\n                          Budge& The Navy DCPDS does provide data to the Hendquartcrs Navy System. which. in tum.\n                          produces a tape to be sent to the Office of Persome h4anagcment to update the Ccatr8l\n                          puronocl Data File. Raxmmcnd that thii ~~~tcnce be revisal IOmad:\n\n                          eAdditimally. tbc Navy DCPDS database feeds data to otbcr DOD databases, for exanple\n                          Defense Civilian Paymll System and the Headquarters Navy System.\xe2\x80\x9d\n\n                          INFORlKATlON\n                                    A!3!NRANCE PROGRAM\n\n                          Page 5, Paragraph 2. \xe2\x80\x98Fur&r, th DCPDS functional and rcquisitim pmgrhm manager6 did\n                          not coordin~~ with Navy about their mspcctivc security manapmcnt roles and mspaasibilities\n                          foe the DCF\xe2\x80\x99DS information assurance pmgmm.\xe2\x80\x9d\n\n                          Cmrdiaatlon with DOD Comp~~~~tr (page 10, puagmpb 6). \xe2\x80\x9cIlw DCPDS fuoaional nnd\n                          acquisition project managers did not wordinatc with tbc Navy in &heirmspective security\n                          management mlts and responsibilities for the DCPDS inform&m assurance pmgram.\xe2\x80\x9d\n\n                          Caotdktion       with DOD Comptmez~ts @ge 11, paragraph 4). \xe2\x80\x98%ordinationof DCPDS\n                          security issues is important to provide consistency among all DOD Cotnponcnts uprating\n                          DCPDS. 
Tbc lsck of Ewpdination is causing DoD Components to take tbcii own apprcacbcs to\n                          security; that is. they arc iw         y developing their own mcasums to dul with DCPDS\n                          vulncr8bilitics.\xe2\x80\x9d\n\n\n\n\n                                                                        30\n\x0cCivilian Personnel Management Service Comments\n\n\n                                                 Final Report\n                                                  Reference\n\x0c\x0cAudit Team Members\n\nThe Acquisition Management Directorate, Office of the Assistant Inspector\nGeneral for Auditing, DOD, produced this report.\n\nThomas F. Gimble\nMary Lu Ugone\nCecelia A. Miggins\nKathleen Fitzpatrick\nDorothy L. Dixon\nMichael T. Carlson\nBemice M. Lewis\n\x0c\x0c'